Welcome to ISAserver.org
Users bypassing the ISA server????

Users bypassing the ISA server???? - 17.Sep.2008 3:25:52 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
This is probably going to amount to a two part question, but I need to figure out the first part before I ask the second question.

So, there is a user on our network that keeps trying to bypass the ISA server, and seems to be doing so. I can't figure out how. I actually have two ISA servers, ISA 2006 handles all web access and site publishing and ISA 2000 handle Exchange. That will go away soon.

I have the new firewall client running on this user's computer and have a script to automatically configure IE. I know he surfs all day, but the only traffic I see in the web proxy logs is repeated connections to the wspad.dat file using the default rule. And the only traffic I see in the firewall logs is windows update and such. So it looks like traffic is being directed to that ISA.

I also see connections to the old ISA 2000 server. I have access denied to that user by the static IP on his computer, but I still see him making connections. I cannot seem to glean any more detail through logging on either ISA, so I am running network monitor to see what that reveals.

So, does anybody have experience with an issue like this? I thought at first he was using proxy sites, but I would figure there would at least be some evidence of surfing if that was the case. Could he be running some kind of proxy software on his computer that doesn't require administrator privileges to run?

Yes, obviously confronting the user and auditing his computer would be the best bet, but he is kind of the company owners' pet and they act like I am picking on him when I bring up these issues. Since he knows he is being a sneaking pr*** he won't complain if I figure out how to stop him, so that is the course I have to take.

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2
Post #: 1
RE: Users bypassing the ISA server???? - 17.Sep.2008 6:25:58 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Except for an ISA running as a single nic caching server,...it is impossible to bypass an ISA when an ISA is physically between the user and the Internet.  There may be a debate about which ISA service he uses,...but he will still be using the ISA.

He could be using a Public Proxy,..but he still has to use the ISA to get to the Public Proxy and that Public Proxy would show in the logs.

1. Do not have Rules for "All Users".  That equals "anonymous".  Be specific with users in your Rules and this will eliminate any SecureNAT Clients.  You may still need some of those, so if you do be very specific with your destinations and sources in the anonymous Rules

2. Make sure you know what your WPAD configuration is really doing. Make sure it is assigning the right proxy to the users.

3. On the proxy that they should not be using,...make sure you don't have rules on it allowing users to do what you don't want them doing on that proxy.

4. Make sure users (at least the problem user) are not local admins on their machine. Then statically assign the IP Config on their machine so that you can further make Rules based on their source IP now that you will always know what it is.  You can also find log entries with that IP when the username or machine name is not listed and you will know you have the correct user. Not being a local Administrator will prevent them from changing their IP Specs.

5. You can create a Deny Rule to put at the top of the list that contains a Domain Name Set of Public Proxies to deny the users access to those.  But it will be next to impossible to maintain the list.  There are pre-built Lists that some people have created that you can use,...but I don't remember the link to the site for those. Maybe someone else here knows that.  About the only way to maintain the list is to remove and recreate the Domain Name Set each time the people that created the list come out with a new version of the list.

Third party tools may be of use with the Public Proxies:

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

_____________________________

Phillip Windell

(in reply to manning)
Post #: 2
RE: Users bypassing the ISA server???? - 17.Sep.2008 6:39:52 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Nice reply Phil.

Manning >> Be interested to see what your sleuthing finds!

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to pwindell)
Post #: 3
RE: Users bypassing the ISA server???? - 18.Sep.2008 10:39:22 AM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
quote:

ORIGINAL: pwindell

Except for an ISA running as a single nic caching server,...it is impossible to bypass an ISA when an ISA is physically between the user and the Internet.  There may be a debate about which ISA service he uses,...but he will still be using the ISA.

He could be using a Public Proxy,..but he still has to use the ISA to get to the Public Proxy and that Public Proxy would show in the logs.


Yeah, that's what I would expect. Some users have used public proxies in the past, but like you say, they show up in the logs. This user is determined for some reason to bypass ISA so he can surf freely at will. He seems to take it personally that there are limits at work to what he can and cannot access.

quote:

ORIGINAL: pwindell
1. Do not have Rules for "All Users".  That equals "anonymous".  Be specific with users in your Rules and this will eliminate any SecureNAT Clients.  You may still need some of those, so if you do be very specific with your destinations and sources in the anonymous Rules


I do have an 'All Open' rule.

All Open > Allow > All Outbound > Internal > External > All Authenticated and Company Users

Do I need to tweak that?

Everything else that allows 'All Users' is a 'Deny' policy

quote:

ORIGINAL: pwindell
2. Make sure you know what your WPAD configuration is really doing. Make sure it is assigning the right proxy to the users.


I am pretty sure it is working alright. All of the other computers I have looked at have the correct proxy settings.

Can it become corrupt and need to be recreated?

quote:

ORIGINAL: pwindell
3. On the proxy that they should not be using,...make sure you don't have rules on it allowing users to do what you don't want them doing on that proxy.


Yeah, I'm cleaning that up right now. Actually I have been for the past several months, but I am the GTG for almost everything administrative here, so I get pulled away to do other things.

quote:

ORIGINAL: pwindell
4. Make sure users (at least the problem user) are not local admins on their machine. Then statically assign the IP Config on their machine so that you can further make Rules based on their source IP now that you will always know what it is.  You can also find log entries with that IP when the username or machine name is not listed and you will know you have the correct user. Not being a local Administrator will prevent them from changing their IP Specs.


Nope, not a local admin. All users are power users at most. I nipped that nightmare when they fired our old Systems Administrator a year ago. However, all users with laptops have to have the ability to modify network settings due to the nature of our business. On the plus side of that though, while most users have dynamic IPs, this user and a couple others have to use static to help facilitate how they connect to a particular client's iSeries warehouse management system. Makes his computer easy to track and block. Well, when I can figure out what he is doing and how. I do have a deny all rule for this user's assigned computer right now on the old ISA.

quote:

ORIGINAL: pwindell
5. You can create a Deny Rule to put at the top of the list that contains a Domain Name Set of Public Proxies to deny the users access to those.  But it will be next to impossible to maintain the list.  There are pre-built Lists that some people have created that you can use,...but I don't remember the link to the site for those. Maybe someone else here knows that.  About the only way to maintain the list is to remove and recreate the Domain Name Set each time the people that created the list come out with a new version of the list.


Yeah, I know that nightmare all too well. I keep my eyes on the logs looking for oddball URLs.

I need to go through yesterday's and this morning's logs to see what traffic looked like. I'll let you know if I find anything of interest, or puzzling.

I really don't get why people are so oblivious to the trouble they can cause on our network through careless surfing. I feel like I am screaming at a wall when I try to explain it to them.

< Message edited by manning -- 18.Sep.2008 10:42:34 AM >


_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to pwindell)
Post #: 4
RE: Users bypassing the ISA server???? - 18.Sep.2008 11:01:31 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

He seems to take it personally that there are limits at work to what he can and cannot access.


He'll have to get over it

quote:

I do have an 'All Open' rule.
All Open > Allow > All Outbound > Internal > External > All Authenticated and Company Users
Do I need to tweak that?


That is not an anonymous rule, so you are fine concerning that. Any tweaking might be to limit it to http, https, and ftp.  I would probably create a specific Group for internet access and use that in the rule's User Set instead of authenticated users and company users.

quote:

I am pretty sure it is working alright. All of the other computers I have looked at have the correct proxy settings.
Can it become corrupt and need to be recreated?


If they are using the correct proxy it is probably fine

quote:

Nope, not a local admin. All users are power users at most.


That is almost as bad. I would not do that either. There is very little that a power user cannot do,...it is almost identical to the local Administrator.

quote:

However, all users with laptops have to have the ability to modify network settings due to the nature of our business.


I don't see how that could be true. They should use dynamic addressing (DHCP) so it will adjust no matter where they go with it. If you want them to behave as Static when on your LAN then use DHCP Reservations,..just don't get carried away with it,..only do that with machines that justify doing it that way.



_____________________________

Phillip Windell

(in reply to manning)
Post #: 5
RE: Users bypassing the ISA server???? - 18.Sep.2008 1:48:30 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
quote:

ORIGINAL: pwindell

quote:

Nope, not a local admin. All users are power users at most.


That is almost as bad. I would not do that either. There is very little that a power user cannot do,...it is almost identical to the local Administrator.


Rats. OK, I'll have to work on that. The issue is that our users are consultants and they have to be able to connect to other host systems and load printers etc. The load printer thing is a moot point I guess since you have to be an admin to load new drivers.

quote:

ORIGINAL: pwindell

quote:

However, all users with laptops have to have the ability to modify network settings due to the nature of our business.


I don't see how that could be true. They should use dynamic addressing (DHCP) so it will adjust no matter where they go with it. If you want them to behave as Static when on your LAN then use DHCP Reservations,..just don't get carried away with it,..only do that with machines that justify doing it that way.



When they travel to a customer's site they have to be able to connect to their network so that they can interface with the customer's WMS. It is very very rare that the customer isn't using DHCP. However once in a while the customer uses static IPs.

On our network we use DHCP, except obviously for servers and printers. The few exceptions are 3 or 4 users that need to use a specific gateway at times to get to a remote server at a customer site. No internet access through that gateway, just a point to point tunnel. It's actually a totally separate router and everything.

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to pwindell)
Post #: 6
RE: Users bypassing the ISA server???? - 18.Sep.2008 3:40:44 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
I was just looking at the web proxy logs through noon today. The problem user in question showed up in the logs today, regular surfing, typical stuff. He shows up by computer IP (static) as anonymous and the domain user name domain\user1. Then all of the sudden around 11:00 or so he stopped showing up as an authenticated user and all I see for that IP is several connections per minute to the ISA server by IP like this:

http://10.10.10.2/wspad.dat

One right after another, and that's all the connections until the end of the log for that computer. What's that all about? Why does it keep trying to reload the wspad data?

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to manning)
Post #: 7
RE: Users bypassing the ISA server???? - 18.Sep.2008 4:46:48 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

connect to other host systems and load printers etc. The load printer thing is a moot point I guess since you have to be an admin to load new drivers.


Actually that is a Local System Policy that can be changed. You can probably do it with a GPO too I suspect.  I do that on our Terminal Server because one of the Applications they use loads/unloads/reloads a virtual printer driver "on the fly"  and the users are not anything but normal users on the Terminal Server

quote:

http://10.10.10.2/wspad.dat

One right after another, and that's all the connections until the end of the log for that computer. What's that all about? Why does it keep trying to reload the wspad data?


I don't know. It may be normal. Look at the time/date on the log,..how far apart are they?  They might not really be back-to-back as it appears. If the person goes off and leaves the machine sitting without any other activity then the only traffic would be the WPAD refreshes. They would appear as one after another even though there is actually a normal amount of time happening between them.

quote:

When they travel to a customer's site they have to be able to connect to their network so that they can interface with the customer's WMS. It is very very rare that the customer isn't using DHCP. However once in a while the customer uses static IPs.


Not sure what to tell you there

_____________________________

Phillip Windell

(in reply to manning)
Post #: 8
RE: Users bypassing the ISA server???? - 18.Sep.2008 5:22:14 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
quote:

ORIGINAL: pwindell

quote:

connect to other host systems and load printers etc. The load printer thing is a moot point I guess since you have to be an admin to load new drivers.


Actually that is a Local System Policy that can be changed. You can probably do it with a GPO too I suspect.  I do that on our Terminal Server because one of the Applications they use loads/unloads/reloads a virtual printer driver "on the fly"  and the users are not anything but normal users on the Terminal Server


I have that set. It doesn't work like I expected. I've chased that issue for some time over on GPAnswers.com to no avail. XP SP2 screwed that up if I remember correctly. Network printers load just fine as would be expected. Connect a printer via USB and you have problems unless the drivers are signed and already loaded. Multifunction devices screw it up even more because regular users cannot plug and play scanner type devices. I had users in the field the other week trying to connect to a Cubiscan device and Windows just kept complaining that they needed to be admins to install the device. Fortunately one of the owners of the company was with them and could log in and install the device for them. For some reason barcode scanners connect without a hitch. I think windows sees them as an input device like a mouse.

quote:

ORIGINAL: pwindell

quote:

http://10.10.10.2/wspad.dat

One right after another, and that's all the connections until the end of the log for that computer. What's that all about? Why does it keep trying to reload the wspad data?


I don't know. It may be normal. Look at the time/date on the log,..how far apart are they?  They might not really be back-to-back as it appears. If the person goes off and leaves the machine sitting without any other activity then the only traffic would be the WPAD refreshes. They would appear as one after another even though there is actually a normal amount of time happening between them.


I sorted the log by IP so that I could isolate his traffic. His machine was refreshing WPAD at some points a couple times a minute for almost an hour. No other computer had that kind of refresh rate. It is really weird. I thought maybe it was because he was disabling the FW client, but I tried that on another computer and it didn't produce the same result.

And they have to be able to disable the FW client because it interferes with connecting to customers IBM iSeries servers.

quote:

ORIGINAL: pwindell
quote:

When they travel to a customer's site they have to be able to connect to their network so that they can interface with the customer's WMS. It is very very rare that the customer isn't using DHCP. However once in a while the customer uses static IPs.


Not sure what to tell you there


Yeah, I just have to see what I can do to work that one out. I'd rather they couldn't monkey around with network settings, but it is what it is for now.

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to pwindell)
Post #: 9
RE: Users bypassing the ISA server???? - 19.Sep.2008 9:26:00 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

And they have to be able to disable the FW client because it interferes with connecting to customers IBM iSeries servers.


That is fine. It doesn't hurt anything if they do that,..in fact in cases like you describe they do need to do that.  All it does is switch the client from Firewall Client to SecureNAT Client and they are not going to gain any special abilities they didn't have before other than connecting to the server that they are supposed to do.

There are ways to fix that so they don't have to do that, but if you are satisfied with the way that is working there is no point in fooling with it.


_____________________________

Phillip Windell

(in reply to manning)
Post #: 10
RE: Users bypassing the ISA server???? - 19.Sep.2008 9:46:25 AM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
quote:

ORIGINAL: pwindell

quote:

And they have to be able to disable the FW client because it interferes with connecting to customers IBM iSeries servers.


That is fine. It doesn't hurt anything if they do that,..in fact in cases like you describe they do need to do that.  All it does is switch the client from Firewall Client to SecureNAT Client and they are not going to gain any special abilities they didn't have before other than connecting to the server that they are supposed to do.

There are ways to fix that so they don't have to do that, but if you are satisfied with the way that is working there is no point in fooling with it.



Do tell. Or point in the right direction. I like the way the new client works and would rather users didn't have to monkey around with it.

When the users disable the client it stays disabled too. That is to say when they shut down and then restart the client stays off. I admittedly haven't looked into this very hard, but can I set something, perhaps in the registry, to force the client back on at restarts?

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to pwindell)
Post #: 11
RE: Users bypassing the ISA server???? - 19.Sep.2008 10:06:37 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You don't change anything about the FWC. It is what it is and it stays that way.

What you'd have to do is have the Destination IP# of the customers' IBMs be considered by the ISA as part of the Internal LAN,...then the Firewall Client will simply ignore the traffic and let it go on its merry way unmolested.

However, how you actually create this situation with the IBM Server can vary. A lot depends on the exact details of the situation.  That is why I didn't just jump right into the subject if you were getting by as you were.

_____________________________

Phillip Windell

(in reply to manning)
Post #: 12
RE: Users bypassing the ISA server???? - 19.Sep.2008 10:47:43 AM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
Oh, yeah that makes sense. And when they aren't on our network the FWC disables itself anyway, so I wouldn't have to worry about that.

Next bit of info I found. Not sure if this is something to be concerned with, but it looks fishy. I'm going through the Firewall logs, sorted by original client IP. I noticed dozens of connections like this:

Protocol = UDP
Source= 10.10.10.150:56082 (clients static IP and ? port)
Destination=216.22.18.6:53
Source=Internal
Destination=External
Rule=All Open
Application Protocol=DNS
Agent=svchost.exe:3:5.1

Why is this computer making DNS requests? And why would they go out to 216.22.18.6 which resolves to KS3.co.spb.ru which is in Russia. Not that there is anything wrong with Russia. The majority of the other DNS requests that I see are all coming from my, of all things, DNS servers. His requests show up every hour that he was logged onto the network at the same minute of each hour for 5 seconds or so, so it is on a regular schedule.

I also noticed an oddball DHCP reply from that computer, again the agent was svchost.exe:3:5.1, and this is the only DHCP reply in the log.

< Message edited by manning -- 19.Sep.2008 10:53:56 AM >


_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to pwindell)
Post #: 13
RE: Users bypassing the ISA server???? - 19.Sep.2008 11:03:46 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
quote:

Why is this computer making DNS requests? And why would they go out to 216.22.18.6 which resolves to KS3.co.spb.ru which is in Russia. Not that there is anything wrong with Russia. The majority of the other DNS requests that I see are all coming from my, of all things, DNS servers. His requests show up every hour that he was logged onto the network at the same minute of each hour for 5 seconds or so, so it is on a regular schedule.


Possibles:

1. Rogue DNS settings in the TCP/IP Config of the machine.  Can be seen with "IPConfig /All"

2. User is making outbound Remote Access connections  (dialup, or VPN).  The DUN would pick up a DNS IP# from the DHCP of whatever they connected to. But when the machine tried to send a query to that DNS the Firewall Client intercepts it and sends it through the ISA,...hence it shows up in the logs.

3.  Viruses, Spyware, Adware, Malware, Browser Plugins, ActiveX Controls on Web Sites.  All guesses of course,..I don't know.

quote:

I also noticed an oddball DHCP reply from that computer, again the agent was svchost.exe:3:5.1, and this is the only DHCP reply in the log.  


Also #3 above.


_____________________________

Phillip Windell

(in reply to manning)
Post #: 14
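As an added example (not code from this thread or from ISA Server), here is a small Python script that applies Phil's checks to firewall log records written in the key/value style Manning quoted in post #13: it flags DNS from internal hosts to resolvers other than the corporate ones, skips the corporate DNS servers' own outbound forwarding, and reports source/destination pairs whose queries recur on a fixed hourly schedule. The field names, the approved-resolver and internal-range values, and the sample records are constructed assumptions, not a real ISA export.

```python
"""Flag internal hosts that send DNS to resolvers other than the corporate ones,
and report those whose queries recur on a fixed schedule (e.g. every hour)."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for this example: corporate resolvers and internal ranges.
APPROVED_RESOLVERS = {"10.10.10.10", "10.10.10.11"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample records, one per line, fields separated by "; ".
# 203.0.113.5 is a documentation address standing in for an upstream resolver.
SAMPLE_LOG = """\
time=2008-09-19 08:03:12; proto=UDP; src=10.10.10.150:56082; dst=216.22.18.6:53; rule=All Open; app=DNS; agent=svchost.exe:3:5.1
time=2008-09-19 08:03:14; proto=UDP; src=10.10.10.150:56083; dst=216.22.18.6:53; rule=All Open; app=DNS; agent=svchost.exe:3:5.1
time=2008-09-19 08:10:40; proto=TCP; src=10.10.10.150:1187; dst=10.10.10.2:80; rule=Default rule; app=HTTP; agent=MSFWC
time=2008-09-19 08:41:07; proto=UDP; src=10.10.10.10:5213; dst=203.0.113.5:53; rule=All Open; app=DNS; agent=dns.exe:3:5.1
time=2008-09-19 09:03:11; proto=UDP; src=10.10.10.150:56102; dst=216.22.18.6:53; rule=All Open; app=DNS; agent=svchost.exe:3:5.1
time=2008-09-19 10:03:13; proto=UDP; src=10.10.10.150:56140; dst=216.22.18.6:53; rule=All Open; app=DNS; agent=svchost.exe:3:5.1
time=2008-09-19 10:15:02; proto=UDP; src=10.10.10.77:50001; dst=10.10.10.10:53; rule=All Open; app=DNS; agent=svchost.exe:3:5.1
"""


def parse_record(line):
    """Split one 'key=value; key=value' record into a dict (values keep their colons)."""
    rec = {}
    for field in line.split("; "):
        key, _, value = field.partition("=")
        rec[key.strip()] = value.strip()
    return rec


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rogue_dns_queries(log_text):
    """Return (src_ip, dst_ip, timestamp) for DNS sent by internal hosts to
    resolvers outside APPROVED_RESOLVERS. The corporate resolvers' own outbound
    forwarding is expected and is skipped."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        src_ip = rec["src"].rpartition(":")[0]
        dst_ip, _, dst_port = rec["dst"].rpartition(":")
        if rec.get("app") != "DNS" and dst_port != "53":
            continue
        if not is_internal(src_ip) or src_ip in APPROVED_RESOLVERS:
            continue
        if dst_ip in APPROVED_RESOLVERS:
            continue
        hits.append((src_ip, dst_ip, datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")))
    return hits


def periodic_sources(hits, period_s=3600, tolerance_s=120, min_intervals=2):
    """Group hits by (src, dst); queries closer than tolerance_s are folded into
    one burst, and a pair is reported when at least min_intervals gaps between
    bursts fall within tolerance_s of period_s. Returns {pair: burst_count}."""
    by_pair = defaultdict(list)
    for src, dst, ts in hits:
        by_pair[(src, dst)].append(ts)
    result = {}
    for pair, times in by_pair.items():
        times.sort()
        bursts = [times[0]]
        for ts in times[1:]:
            if (ts - bursts[-1]).total_seconds() > tolerance_s:
                bursts.append(ts)
        gaps = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
        if sum(1 for g in gaps if abs(g - period_s) <= tolerance_s) >= min_intervals:
            result[pair] = len(bursts)
    return result


if __name__ == "__main__":
    found = rogue_dns_queries(SAMPLE_LOG)
    for src, dst, ts in found:
        print(f"{ts} {src} -> {dst}: DNS to a resolver outside the approved set")
    for (src, dst), n in periodic_sources(found).items():
        print(f"{src} -> {dst}: {n} bursts on an hourly schedule; check ipconfig /all and the host")
```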
RE: Users bypassing the ISA server???? - 19.Sep.2008 1:07:04 PM   
manning

 

Posts: 121
Joined: 9.Oct.2006
Status: offline
Alright. I think I have more than enough justification to audit his computer.

Pretty sad that I have to jump through hoops to justify this to management.

Thanks, I'll let you all know what I find.

_____________________________

Manning

I only do this because I have to.

ISA 2006 standard on Server 2k3 R2

(in reply to pwindell)
Post #: 15